A Blog About Exchange & Office 365

Exchange 2013 – Configure Your Mobile Device Mailbox Policy

Now that Exchange 2013 is RTM and some deployments are being planned, designed and even deployed in some corporations, I am going to have a series of How To’s on configuring some settings that may not be as easy as they once were. Take for example your Mobile Device policies. If we take a look at what is available in the Exchange Administration Console, we see that there are only a few settings in the new GUI for Exchange Server:

Now, if we look back at Exchange 2010, we can see that things have changed quite a bit in the GUI:

So how do we configure a more robust and feature-rich policy in Exchange Server 2013?

PowerShell

Configuring the Mobile Policies via PowerShell in Exchange 2013 is almost exactly the same as in Exchange Server 2010, and the options that can be configured are essentially the same as well.

Below is a comparison of the options for Exchange 2010 and Exchange 2013 when it comes to configuring the ActiveSync or Mobile Device policies (depending on the Exchange version). Differences are noted by the blue text. Some that are highlighted are just named differently in the versions:

| Exchange Server 2013 | Exchange Server 2010 |
| --- | --- |
| -AllowBrowser | -AllowBluetooth |
| -AllowCamera | -AllowBrowser |
| -AllowConsumerEmail | -AllowCamera |
| -AllowDesktopSync | -AllowConsumerEmail |
| -AllowExternalDeviceManagement | -AllowDesktopSync |
| -AllowHTMLEmail | -AllowExternalDeviceManagement |
| -AllowInternetSharing | -AllowHTMLEmail |
| -AllowIrDA | -AllowInternetSharing |
| -AllowMobileOTAUpdate | -AllowIrDA |
| -AllowNonProvisionableDevices | -AllowMobileOTAUpdate |
| -AllowPOPIMAPEmail | -AllowNonProvisionableDevices |
| -AllowRemoteDesktop | -AllowPOPIMAPEmail |
| -AllowSimplePassword | -AllowRemoteDesktop |
| -AllowSMIMEEncryptionAlgorithmNegotiation | -AllowSimpleDevicePassword |
| -AllowSMIMESoftCerts | -AllowSMIMEEncryptionAlgorithmNegotiation |
| -AllowStorageCard | -AllowSMIMESoftCerts |
| -AllowTextMessaging | -AllowStorageCard |
| -AllowUnsignedApplications | -AllowTextMessaging |
| -AllowUnsignedInstallationPackages | -AllowUnsignedApplications |
| -AllowWiFi | -AllowUnsignedInstallationPackages |
| -AlphanumericPasswordRequired | -AllowWiFi |
| -ApprovedApplicationList | -AlphanumericDevicePasswordRequired |
| -AttachmentsEnabled | -ApprovedApplicationList |
| -Confirm | -AttachmentsEnabled |
| -DeviceEncryptionEnabled | -Confirm |
| -DevicePolicyRefreshInterval | -DeviceEncryptionEnabled |
| -DomainController | -DevicePasswordEnabled |
| -Identity | -DevicePasswordExpiration |
| -IrmEnabled | -DevicePasswordHistory |
| -IsDefault | -DevicePolicyRefreshInterval |
| -MaxAttachmentSize | -DomainController |
| -MaxCalendarAgeFilter | -Identity |
| -MaxEmailAgeFilter | -IrmEnabled |
| -MaxEmailBodyTruncationSize | -IsDefaultPolicy |
| -MaxEmailHTMLBodyTruncationSize | -MaxAttachmentSize |
| -MaxInactivityTimeLock | -MaxCalendarAgeFilter |
| -MaxPasswordFailedAttempts | -MaxDevicePasswordFailedAttempts |
| -MinPasswordComplexCharacters | -MaxEmailAgeFilter |
| -MinPasswordLength | -MaxEmailBodyTruncationSize |
| -MobileOTAUpdateMode | -MaxEmailHTMLBodyTruncationSize |
| -Name | -MaxInactivityTimeDeviceLock |
| -PasswordEnabled | -MinDevicePasswordComplexCharacters |
| -PasswordExpiration | -MinDevicePasswordLength |
| -PasswordHistory | -MobileOTAUpdateMode |
| -PasswordRecoveryEnabled | -Name |
| -RequireDeviceEncryption | -PasswordRecoveryEnabled |
| -RequireEncryptedSMIMEMessages | -RequireDeviceEncryption |
| -RequireEncryptionSMIMEAlgorithm | -RequireEncryptedSMIMEMessages |
| -RequireManualSyncWhenRoaming | -RequireEncryptionSMIMEAlgorithm |
| -RequireSignedSMIMEAlgorithm | -RequireManualSyncWhenRoaming |
| -RequireSignedSMIMEMessages | -RequireSignedSMIMEAlgorithm |
| -RequireStorageCardEncryption | -RequireSignedSMIMEMessages |
| -UnapprovedInROMApplicationList | -RequireStorageCardEncryption |
| -UNCAccessEnabled | -UnapprovedInROMApplicationList |
| -WhatIf | -UNCAccessEnabled |
| -WSSAccessEnabled | -WhatIf |
| | -WSSAccessEnabled |

The main differences are name changes for the options and the dropping of Bluetooth in the options configuration:

| Exchange Server 2013 | Exchange Server 2010 |
| --- | --- |
| | -AllowBluetooth |
| -AllowSimplePassword | -AllowSimpleDevicePassword |
| -AlphanumericPasswordRequired | -AlphanumericDevicePasswordRequired |
| -PasswordEnabled | -DevicePasswordEnabled |
| -PasswordExpiration | -DevicePasswordExpiration |
| -PasswordHistory | -DevicePasswordHistory |
| -IsDefault | -IsDefaultPolicy |
| -MaxInactivityTimeLock | -MaxInactivityTimeDeviceLock |
| -MaxPasswordFailedAttempts | -MaxDevicePasswordFailedAttempts |
| -MinPasswordComplexCharacters | -MinDevicePasswordComplexCharacters |
| -MinPasswordLength | -MinDevicePasswordLength |

On to configuring! The first step is to create a new policy for your mobile ActiveSync devices. The cmdlet we use here is ‘New-MobileDeviceMailboxPolicy’. Here is an example of this command used to create a new policy for your IT department:

Now we have a basic policy that enforces an alphanumeric password with three types of characters and keeps a history of ten passwords.

Once we have a policy created we can verify the policies that are enabled in Exchange with the Get-MobileDeviceMailboxPolicy PowerShell command:

Now let’s say that in the future you are required to change some of the settings in your policy. For example, you are required to keep a history of 15 passwords and allow password recovery. For this we can use ‘Set-MobileDeviceMailboxPolicy’:

If you need to remove a policy, simply use the Remove-MobileDeviceMailboxPolicy command:
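The create, verify, change and remove steps described above, written out as an added example that is not taken from the original post. The policy name is an assumed placeholder, the parameters are the Exchange 2013 names from the comparison table, and the commands are meant for the Exchange Management Shell.

```powershell
# Assumed policy name, used for illustration only.
$policyName = 'IT Department Mobile Policy'

# 1. Create the policy: password required, alphanumeric, three character
#    types, and a history of ten passwords.
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordComplexCharacters 3 `
    -PasswordHistory 10

# 2. Verify which policies exist and what their password settings are.
$passwordSettings = 'Name', 'IsDefault', 'PasswordEnabled',
    'AlphanumericPasswordRequired', 'MinPasswordComplexCharacters',
    'PasswordHistory', 'PasswordRecoveryEnabled'
Get-MobileDeviceMailboxPolicy | Format-List -Property $passwordSettings

# 3. Change the policy later: history of 15 passwords, recovery allowed.
Set-MobileDeviceMailboxPolicy -Identity $policyName `
    -PasswordHistory 15 `
    -PasswordRecoveryEnabled $true

# 4. Review step: list any policy that does not require a device password
#    or does not require it to be alphanumeric.
Get-MobileDeviceMailboxPolicy |
    Where-Object { -not $_.PasswordEnabled -or -not $_.AlphanumericPasswordRequired } |
    Select-Object -Property Name, IsDefault, PasswordEnabled, AlphanumericPasswordRequired

# 5. Remove the policy. -WhatIf previews the action without making changes;
#    run the second line only once the preview names the right policy.
Remove-MobileDeviceMailboxPolicy -Identity $policyName -WhatIf
Remove-MobileDeviceMailboxPolicy -Identity $policyName
```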

*** The Set-ActiveSyncMailboxPolicy cmdlet will be removed in a future version of Exchange. Use the Set-MobileMailboxPolicy cmdlet instead. If you have any scripts that use the Set-ActiveSyncMailboxPolicy cmdlet, update them to use the Set-MobileMailboxPolicy cmdlet.